Network Controls
When considering a Network Control design or redeployment organisations should first understand the road to compliance and assuring that every control is aligned. Such that it may play its part (Risk, Availability and Agility). To do this:
- Build identity context into your incident handling to improve Visibility.
- Build a security dashboard to assist in measuring compliance and monitoring key risks
- Re-define / Assess the Security Governance and Assurance process, with a focus on agility and validation (Testing)
- Define and communicate the operating model with a focus on structure, framework and supporting artifacts
- Define and communicate the security services and application security bluepoints leveraging virtualized and on-demand service delivery.
Security priorities should be mapped to business priorities to establish relevance and show support for the organisational mission.
To be able to design your network security system understanding your sensitive information and infrastructure is paramount. If you can answer the logical categorisation of information and infrastructure than you can effectively segregate your network into the appropriate zones. These zones can be assessed and the varying degrees of security controls can be applied to restrict and control access.
Sensitivity Levels
- Devices and systems providing services for the external networks (e.g. the Internet) should be located in different zones (DMZ) than the internal network devices.
- Strategic IT system resources (sensitive), should be located in the dedicated security zones
- Devices and systems of low trust, such as remote access servers, should be located in dedicated security zones.
Resource types
- User workstations should be in a different security zone than servers
- Network and Security management systems should be in dedicated security zones as they act between the layers
- Systems in a development stage should be located in different zones than the production systems
As a final note, the risk analysis and security design primarily focuses on the most valuable IT system resources. However, the scope of your controls should not be focused in such a manner. An attacker is going to seek access to the weakest areas and exploit this, to penetrate your network further and gain access to more valuable resources.
Good Article Ben. I would also add that after design and implementation, regular auditing is required to ensure that the standards have been maintained. Particularly in Production Environments where data is most sensitive.